How can a media organisation implement Media Provenance and C2PA?

Media organisations can take on C2PA markings at any stage from acquisition to publication. In the long term, we would all like to see a “glass-to-glass” workflow with full C2PA support throughout the production chain. But as a first step, many publishers simply want to mark content at the point of publication — e.g. just adding “from <news publisher>”.

This is much easier to achieve in the short term, but it should be noted that there are currently only limited places that a user can view that signal. In the future, support from social media platforms may mean that the signal can be presented to users on those platforms – LinkedIn was the first platform to implement support for externally-published C2PA-signed content.

One way to allow people to view this data is to point them to public “validator” services like https://contentcredentials.org/verify  or https://originverify.iptc.org into which the URL of a piece of content is pasted or uploaded.

Publishers may want to provide more value to users at this early stage. One way of doing this is by adding useful metadata to content that can help them understand where the content has come from, what it shows, and how it was verified. Depending on the architecture of your systems, here’s an example implementation guide:

  1. Have a way to capture the metadata you want to display to users (you might already have this, or you might need to build a new screen and data storage in your CMS to do it)
  2. Once journalists have entered this and are happy to publish, then you need a software component that will take the metadata and the media, add it to a content credentials “manifest”, sign it with your certificate, and then attach it to your media. The open-source c2pa-rs library, called from an AWS Lambda function, is one way to do this. Other libraries are available, including a commercial one from Truepic.
  3. Save your new Content Credentials-attached media wherever you need to serve it to users on your website.
  4. (Optional) If there is a step in your architecture (maybe in your CDN) that modifies the media for distribution, perhaps by transcoding/resizing it, then you will need to modify this software to also sign the content with your certificate. The BBC avoided this for its initial trial, as it was small (just a few stories), and distributed our media directly to users, without transcoding or resizing. CBC worked around this by attaching a query parameter to their image URLs that tells their image CDN not to resize these images.
  5. Display the content credential on your website, by modifying your website to allow users to see the extra data that is now part of the media.
    (Optional) If you want, you can include a validator on your site, which checks that the content is signed correctly and shows the content credential to users (the Content Authenticity Initiative’s c2pa-js library and Truepic Display both do this). The BBC avoided this for its initial trial, as the media is on their website anyway, and they didn’t think they needed to do validation again in the users browser. The BBC actually saves the content credential as a JSON file next to the media, and then wrote code on their website to read the JSON file and display it to their users. 

Marking content at the point of acquisition is another option, if you control or influence some of the capture process. This can add integrity to user generated content or those involved in the media workflow at a different point of the chain. Sony, Leica and Canon have recently released cameras that include Content Credentials. The IPTC Media Provenance Committee is investigating these options.

Publishers interested in working cooperatively to advance the implementation of the C2PA standard in the news eco-system are invited to join the Media Provenance Committee at the IPTC.